# create a new proxy server

- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=proxies:proxies-stg:!proxy07.fedoraproject.org:!proxy05.fedoraproject.org"

- name: make the box be real
  hosts: proxies-stg:proxies
  user: root
  gather_facts: True

  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
   - "/srv/private/ansible/vars.yml"
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  roles:
  - base
  - fas_client
  - rkhunter
  - nagios_client
  - collectd/base
  - sudo
  - rsyncd
  - { role: mirrormanager/mirrorlist_proxy,
      when: env == "staging" or "'mirrorlist-proxy' in group_names" }
  - { role: openvpn/client,
      when: env != "staging" }
  - { role: certbot,
      when: inventory_hostname == 'proxy01.phx2.fedoraproject.org' }
  - apache

  tasks:
  - name: install special fpaste.conf with letsencrypt info
    copy: src={{ files }}/httpd/fpaste.org.conf dest=/etc/httpd/conf.d/fpaste.org/fpaste.org.conf
    when: inventory_hostname == 'proxy01.phx2.fedoraproject.org'

  - name: setup link to letsencrypt certs on proxy01
    file: >
        path=/etc/pki/tls/certs/fpaste.org.intermediate.cert
        src=/etc/letsencrypt/live/fpaste.org/fullchain.pem
        state=link
    when: inventory_hostname == 'proxy01.phx2.fedoraproject.org'

  - name: setup link to letsencrypt certs on proxy01
    file: >
        path=/etc/pki/tls/certs/fpaste.org.cert
        src=/etc/letsencrypt/live/fpaste.org/cert.pem
        state=link
    when: inventory_hostname == 'proxy01.phx2.fedoraproject.org'

  - import_tasks: "{{ tasks_path }}/yumrepos.yml"
  - import_tasks: "{{ tasks_path }}/2fa_client.yml"
  - import_tasks: "{{ tasks_path }}/motd.yml"

  # You might think we would want these tasks_path on the proxy nodes, but they
  # actually deliver a configuration that our proxy-specific roles below then go
  # and overwrite... so, let's just leave them out.
  #- import_tasks: "{{ tasks_path }}/apache.yml"
  #- import_tasks: "{{ tasks_path }}/mod_wsgi.yml"

  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"


  # TODO
  #
  # - fedora-web::build (bapp0*)
  # - fedora-docs::build (bapp0*)
  # - review-stats::build (bapp0*)
  # - membership-map::build (bapp0*)
  #
  ## TBD
  # - sysctl ip_conntrack_max bits  - do we still need this on rhel7?
  # - semanage ports.. we're likely going to need one for every app.
  # - sebooleans.. let's try running first, see what gets blocked, and then
  #                selectively enable where semanage port fails
  #
  ## Not going to do
  # - smolt::proxy -- note going to do this.  smolt is dead.  long live smolt.
  # - domainnotarget stuff - only smolt used this


- name: Set up the proxy basics
  hosts: proxies-stg:proxies
  user: root
  gather_facts: False

  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
   - "/srv/private/ansible/vars.yml"
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"

  pre_tasks:
  #
  # When we have a prerelease we also need to drop the config files.

  - name: Remove prerelease-to-final-spins-1
    file: path=/etc/httpd/conf.d/spins.fedoraproject.org/prerelease-to-final-spins-1-redirectmatch.conf state=absent
    tags:
    - httpd/redirect
#    when: env == 'staging'

  - name: Remove prerelease-to-final-spins-2
    file: path=/etc/httpd/conf.d/spins.fedoraproject.org/prerelease-to-final-spins-2-redirectmatch.conf state=absent
    tags:
    - httpd/redirect
#    when: env == 'staging'

  - name: Remove prerelease-to-final-labs-1
    file: path=/etc/httpd/conf.d/labs.fedoraproject.org/prerelease-to-final-labs-1-redirectmatch.conf state=absent
    tags:
    - httpd/redirect
#    when: env == 'staging'

  - name: Remove prerelease-to-final-labs-2
    file: path=/etc/httpd/conf.d/labs.fedoraproject.org/prerelease-to-final-labs-2-redirectmatch.conf state=absent
    tags:
    - httpd/redirect
#    when: env == 'staging'

  - name: Remove prerelease-to-final-arm-1
    file: path=/etc/httpd/conf.d/arm.fedoraproject.org/prerelease-to-final-arm-1-redirectmatch.conf state=absent
    tags:
    - httpd/redirect
#    when: env == 'staging'

  - name: Remove prerelease-to-final-arm-2
    file: path=/etc/httpd/conf.d/arm.fedoraproject.org/prerelease-to-final-arm-2-redirectmatch.conf state=absent
    tags:
    - httpd/redirect
#    when: env == 'staging'

  - name: Remove prerelease-to-final-gfo
    file: path=/etc/httpd/conf.d/getfedora.org/prerelease-to-final-gfo-redirectmatch.conf state=absent
    tags:
    - httpd/redirect
#    when: env == 'staging'

  - name: Remove prerelease-to-final-spins
    file: path=/etc/httpd/conf.d/spins.fedoraproject.org/prerelease-to-final-spins-redirectmatch.conf state=absent
    tags:
    - httpd/redirect
#    when: env == 'staging'

  - name: Remove prerelease-to-final-labs
    file: path=/etc/httpd/conf.d/labs.fedoraproject.org/prerelease-to-final-labs-redirectmatch.conf state=absent
    tags:
    - httpd/redirect
#    when: env == 'staging'

  - name: Remove prerelease-to-final-arm
    file: path=/etc/httpd/conf.d/arm.fedoraproject.org/prerelease-to-final-arm-redirectmatch.conf state=absent
    tags:
    - httpd/redirect
#    when: env == 'staging'

  roles:
  - httpd/mod_ssl
  - httpd/proxy
  - varnish
  #
  # Re-run hosts here so things are ok for the haproxy check
  #
  - hosts

# After setting up the "basics" of the proxy hosts above, here below we break
# out the proxy-specific configuration into a couple different sub-playbooks.
# Othewise, this file would be unbearably long.

- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-certificates.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-websites.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-fedorahosted.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-fedora-web.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-reverseproxy.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-rewrites.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-redirects.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-haproxy.yml
- import_playbook: /srv/web/infra/ansible/playbooks/include/proxies-miscellaneous.yml

- name: Make sure we are deployed fully
  hosts: proxies-stg:proxies
  user: root
  gather_facts: False

  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
   - "/srv/private/ansible/vars.yml"
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"

  pre_tasks:
  #
  # If this is an initial deployment, we need the initial ticketkey
  # If it's not, doesn't hurt to copy it over again
  #
  - name: deploy ticket key
    copy: src=/root/ticketkey_{{env}}.tkey dest=/etc/httpd/ticketkey_{{env}}.tkey
          owner=root group=root mode=0600
    notify:
    - reload proxyhttpd

  #
  # If this is an initial deployment, make sure docs are synced over.
  # Do not count these as changed ever
  #
  - name: make sure docs are synced. This could take a very very very logtime to finish
    shell: /usr/local/bin/lock-wrapper docs-sync "/usr/local/bin/docs-rsync" >& /dev/null
    changed_when: false
    ignore_errors: true

  - name: make sure selinux contexts are right on srv
    command: restorecon -R /srv
    changed_when: false
